Heath Anderson, Director of Information Security and Technology at LogicGate, discusses how to build business and operational resiliency with a governance, risk management and compliance (GRC) program.
Security: What is your background?
Anderson: I started my career in the U.S. Air Force and focused on software design and acquisition, working with corporate partners and government software teams. As we were designing and architecting these new systems, we’d have these security standards that weren’t directly tied to the system’s function. It required you to focus on the intention and best practice of the standard as much as what it said on paper. Through those conversations and design sessions, I found myself catching the information security bug. As other InfoSec professionals will tell you, once you have the bug, good luck. As I grew my knowledge of security best practices and software design, I realized I liked balancing both the technology and security sides, so I migrated to consulting to focus on just that with Protiviti.
In this consultancy role, I nurtured my security “bug” and learned even more. As I moved closer to businesses’ security initiatives, I began working with companies who’d leverage our teams for more guidance and me as they either identified they needed to make information security a core competency or they were entering or dealing with changing regulatory requirements and needed help evolving their security practices to align to those requirements. My team and I would assess the company’s needs and then guide them through deploying those new processes and tools to help them reach the next level of their information security journey.
More recently, in my role at LogicGate, I’ve continued that same focus of taking security programs up another level — focusing on prioritization of new security capabilities, calling out where we’re still crawling, and identifying other areas where we’re ready to run from a process and technical perspective.
Security: What are some best practices to build organizational resiliency?
Anderson: From my experience, organizational resiliency can only succeed if it starts at the top. The first step is for leaders to open the door to talk strategically about resiliency as part of their budgets and operational efficiency review. An example of this dynamic could be a leader in the budget overview asking the question, “Who are our ‘can’t replace’ vendors that are line items in this budget?”
Once that door is opened with those types of questions, the goal of the risk team is to help operational teams shape how resiliency is measured and reported. This can take many forms, but the net effect should provide more data points to shape key budget line items that lead to more resilient processes or tools. Once leadership sees this value, the risk teams should work with the individual teams to determine whether or not to prioritize it. In all of this, the challenge risk teams face is how to correlate resiliency with business success. It’s hard to talk about probabilities and risks and not lose the finance and sales team.
Where I’ve seen success — and what is quickly becoming a best practice — is when risk teams align their reporting to talk “apples to apples” to finance and other stakeholders to demonstrate how resilience can be a strategic advantage and help get the company aligned on an overall risk posture.
To get here, I have found the following to be beneficial:
- Risk Quantification and turning those high and critical risks into dollars and cents from an impact perspective
- Moving from talking about risks individually and instead to trending risks on a per-domain basis to focus on where more attention and potential resources are needed (a sales leader would love the backing of why he needs more staff to prevent the risk of churn of business)
- Finally, taking a service-based reporting approach to SLAs and tying them to strategic objectives (by tightening this availability SLA, we are able to reduce our margins to our customers by X%, saving Y dollars)
The framing around resilience should be on how much of a strategic advantage it can be to the business, and just changing communications to focus on those elements can go a very long way to getting the risk team a seat at the table to drive and influence those critical processes that can be underserved when we only think about efficiency and “running lean.”
Security: How can businesses balance efficiency and resiliency in risk management?
Anderson: For many businesses, 2020 proved to be quite a wake-up call. Companies had to navigate disruption, uncertainty, and other unique challenges. Thus we saw a major refocus on the idea of resilience. Gartner defines organizational resilience as how quickly organizations recover from adversity. We’ve seen how resiliency matters — it’s critical for employee morale, work environments, and business success. Companies should define and implement an enterprise risk management (ERM) strategy to balance efficiency and resiliency.
This strategy helps risk managers identify, assess, and address dangers or potential for disaster that negatively impact business operations and objectives. ERM allows organizations to define and manage possible risks to people, projects and profit. Leadership should embrace a proactive risk management approach that quantifies and prioritizes risk. It’s efficient because organizations able to identify risky areas can proactively mitigate them.
It’s too easy to overlook resiliency in favor of efficiency — but doing so leaves employees and companies vulnerable. Businesses must strike a balance between the two to thrive. Building long-term resilience requires planning and strategy. Leaders must identify where business risk might derail operations. A risk stratification process allows companies to identify — and address — their biggest resiliency risks.
Security: What does GRC look like in a post-pandemic landscape, especially with returning to our workplaces?
Anderson: Last year, many companies had to decide very quickly to go remote. From both a security and general IT perspective, pivoting from having zero or a limited number of employees remote to all remote requires quick thinking and sacrifices to keep the business rolling and secure. Moving forward, there’s a high likelihood that there will always be a segment of the company working remotely, so it’s vital that security is always supported and speaks back to business considerations.
What keeps me up at night is making sure that we’re keeping things secure and safely doing things and continuing to support both remote and on-site employees in a repeatable fashion.
Regardless of whether companies are all in office, all virtual or hybrid beyond the pandemic, GRC remains critical. The risk landscape is crowded and interconnected, and that won’t change. There are many forces at work like:
- A continually evolving, constantly changing scope of regulatory compliance.
- More access points with blockchain, IoT and third parties — accelerating digitization of risk management adds vulnerability and increases risk.
- More sophisticated analytics capable of delivering better levels of insight for data-driven decision-making.
- An expanded view of risk management as a valuable part of corporate strategy — not just a tactical function.
As we advance, it’s essential to cultivate a risk-aware culture where everyone understands the importance of ERM and treats it as a team sport. Each employee should feel empowered to recognize and act on (or alert someone) something that feels off. You can’t silo ERM and organizational resilience — for it to be most effective, it should be a company-wide effort.
Security: How vital are GRC tools to manage operations and ensure a company’s meeting compliance and risk standards? What features should a GRC tool have?
Anderson: I think GRC tools are critical for managing operations and meeting compliance and risk standards. For example, it’s crucial to develop protections that test device and location safety while operating under the principle that whoever’s attempting to join is malicious or has the potential to be malicious. Zero-trust will be significant.
One of my focuses includes figuring out where we can replace manual processes with automation. Automated GRC systems should include:
- Content/document management. Software should accommodate paperless workflows and facilitate collaboration with secure file sharing.
- Risk data management and analytics. Software should be able to analyze and assess risks while providing recommendations for future mitigation.
- Workflow and audit management. Software needs to address the appropriate financial, procedure, resource or other audits as required.
- A dashboard with key performance metrics. The system should have customizable, flexible and robust tools — and you should be able to export collected data into commonly used file types for easy review.
- The ability to integrate into larger tech stacks for efficiency and productivity.
I think we’ll see a dissolution of the silos that have historically made it difficult to disseminate information organization-wide. In some cases, it’ll be the democratization of controls. Rather than one person or one team owning all controls, there’ll be relationships established where one person does the process and sends it to the team via automation, so there’s less oversight but more critical details. More people will be closer to the security piece versus it being in a silent team.
Risk management and operational management teams should provide data-driven information to their leadership teams with more consistency. Companies choosing to democratize GRC may find it necessary to create new roles to facilitate information exchange, informed planning and strategic decision-making. Leadership should imbue these roles with the ability and authority to make informed decisions. Adopting this approach enables companies to “hedge their bets” against future environmental or other disruptions via more effective operational resiliency and effective risk management processes.